Cisco 640-553

CISCO 640-553 IINS Implementing Cisco IOS Network Security

Practice Test
Version 1.8

Cisco 640-553: Practice Exam QUESTION NO: 1 Examine the following options, which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10? A. access-list 101 permittcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030 B. access-list 101permit tcp any eq 3030 C. access-list 101permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www D. access-list 101permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www Answer: D

QUESTION NO: 2 DRAG DROP

Answer:

"Pass Any Exam. Any Time." - www.actualtests.com

Ac

tua

lTe

sts

.co

m

Drag three proper statements about the IPsec protocol on the above to the list on the below.

2

Cisco 640-553: Practice Exam

QUESTION NO: 3

Answer: A

QUESTION NO: 4 The information of Cisco Router and Security Device Manager(SDM) is shown below:

"Pass Any Exam. Any Time." - www.actualtests.com

Ac

A. Roughly 50 percent B. Roughly 66 percent C. Roughly 75 percent D. Roughly 10 percent

tua

In a brute-force attack, what percentage of the keyspace must an attacker generally search through until he or she finds the key that decrypts the data?

lTe

sts

.co

m

3

Any Time.com Ac tua lTe sts ." .www.co m 4 .actualtests. what is the action assigned to the traffic class "class-default"? A. inspect "Pass Any Exam.Cisco 640-553: Practice Exam Within the "sdm-permit" policy map.

" . police D.com Ac tua lTe sts .Cisco 640-553: Practice Exam B. drop C.www. Answer: "Pass Any Exam. pass Answer: B QUESTION NO: 5 DRAG DROP On the basis of the description of SSL-based VPN. Any Time. place the correct descriptions in the proper locations.co m 5 .actualtests.

" . B. C. Access-list 101 will prevent address spoofing from interface E0. This ACL will prevent any host on the Internet from spoofing the inside network address as the source address for packets coming into the router from the Internet. "Pass Any Exam.com 6 Ac tua lTe sts .Cisco 640-553: Practice Exam QUESTION NO: 6 Which description is correct based on the exhibit and partial configuration? A.0 will be permitted.0. All traffic destined for network 172.16.150. Any Time.www.0.actualtests. All traffic from network 10.co m . D.0 will be denied due to the implicitdeny all.

MARS Answer: B QUESTION NO: 10 You work as a network engineer.which one can be used to authenticate the IPsec peers during IKE Phase 1? A. which management topology keeps management traffic isolated from production traffic? A. integrity check value C. They use different keys for decryption but the same key for encryption of data.com 7 Ac tua lTe sts . OTP B. Any Time. OOB C. XAUTH D. C.Cisco 640-553: Practice Exam Answer: C QUESTION NO: 7 For the following items .co m ." . do you know an IPsec tunnel is negotiated within the protection of which type of tunnel? "Pass Any Exam. B. Answer: C QUESTION NO: 9 For the following items. They use the same key for encryption and decryption of data. They use the same key for decryption but different keys for encryption of data.actualtests. They use different keys for encryption and decryption of data.www. pre-shared key B. D. SAFE D. Diffie-Hellman Nonce Answer: A QUESTION NO: 8 Which description about asymmetric encryption algorithms is correct? A.

The enable secret password is hashed using SHA. The enable secret password is encrypted using Cisco proprietary level 5 encryption. The enable secret password is for accessing exec privilege level 5. Any Time. Enable Default IOS Signature D.actualtests. Answer: C QUESTION NO: 12 Answer: B QUESTION NO: 13 Which statement best describes Cisco IOS Zone-Based Policy Firewall? A. Policy maps are used to classify traffic into different traffic classes. L2F tunnel B. Enable Signature Default B.when editing global IPS settings. Enable Engine Fail Closed C. ISAKMP tunnel Answer: D QUESTION NO: 11 As a candidate for CCNA examination. E.www. Enable Fail Opened tua Examine the following options . L2TP tunnel C. what does it indicate? A. if you input the command "enable secret level 5 password" in the global mode . Set the enable secret command to privilege level 5. "Pass Any Exam. and class maps are used to assign action to the traffic classes. B.com 8 Ac A. The enable secret password is hashed using MD5. C. A router interface can belong to multiple zones. which one determines if the IOSbased IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled? lTe sts . The pass action works in only one direction.co m . when you are familiar with the basic commands. C. B.Cisco 640-553: Practice Exam A. D." . GRE tunnel D.

A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the zone-pair in both directions. It cannot support UDP flows.actualtests. The status of TCP sessions is retained in the state table after the sessions terminate. Answer: C QUESTION NO: 14 Which feature is a potential security weakness of a traditional stateful firewall? A. C.Cisco 640-553: Practice Exam D.com Ac tua lTe sts ." . B.co m Answer: C 9 . QUESTION NO: 15 LAB "Pass Any Exam. D.www. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake. Any Time. It cannot detect application-layer attacks.

com Ac tua lTe sts .www.co m 10 ." . Any Time.Cisco 640-553: Practice Exam "Pass Any Exam.actualtests.

Any Time." .com Ac tua lTe sts .co m 11 .Cisco 640-553: Practice Exam "Pass Any Exam.actualtests.www.

Any Time." .co m How does CLI view differ from a privilege level? 12 .www. a CLI view is used on a Catalyst switch. D. A CLI view supports only commands configured for that specific view. B. A CLI view can function withouta AAA configuration.Cisco 640-553: Practice Exam Explanation: Switch1>enable Switch1#config t Switch1( config )#interface fa0/12 Switch1( config -if)# switchport mode access Switch1( config -if)# switchport port-security maximum 2 Switch1( config -if)# switchport port-security violation shutdown Switch1( config -if)#no shut Switch1( config -if)#end Switch1#copy run start QUESTION NO: 16 Answer: A . whereas a privilege level supports commands available to that level and all the lower levels.. whereas a privilege level allows a user to make changes to an IOS configuration. Answer: "Pass Any Exam.actualtests. A CLI view and a privilege level perform the same function. whereas a privilege level requires AAA to be configured. whereas a privilege level is used on an IOS router. However.com Ac QUESTION NO: 17 HOTSPOT tua lTe A. C. A CLI view supports only monitoring commands. sts .

Any Time. C. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port." . QUESTION NO: 19 DRAG DROP On the basis of the Cisco IOS Zone-Based Policy Firewall. D. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface. B.actualtests.www.co m 13 .com Ac tua lTe sts Answer: D .Cisco 640-553: Practice Exam QUESTION NO: 18 Which statement best describes configuring access control lists to control Telnet traffic destined to the router itself? A. The ACL is applied to the Telnet port with the ip access-group command. which three types zone? "Pass Any Exam. The ACL must be applied to each vty line individually. by default.

Any Time.www." .actualtests.com Ac tua lTe Answer: sts .co m 14 .Cisco 640-553: Practice Exam Drag three proper characterizations on the above to the list on the below. "Pass Any Exam.

setup exec command and the SDM Security Audit wizard C.www. takes a variable-length message and produces a 168-bit message digest C.actualtests. takes a variable-length message and produces a 128-bit message digest Answer: D QUESTION NO: 21 For the following options .Cisco 640-553: Practice Exam QUESTION NO: 20 What is the MD5 algorithm used for? A.which one accurately matches the CLI command(s) to the equivalent SDM wizard that performs similar configuration functions? A." . Cisco Common Classification Policy Language configuration commands and the SDM Site-toSite VPN wizard Answer: C QUESTION NO: 22 CORRECT TEXT .com Ac tua lTe sts . takes a message less than 2^64 bits as input and produces a 160-bit message digest D.co m 15 . takes a fixed-length message and produces a 128-bit message digest B. aaa configuration commands and the SDM Basic Firewall wizard B. "Pass Any Exam. auto secure exec command and the SDM One-Step Lockdown wizard D. Any Time.

Cisco 640-553: Practice Exam "Pass Any Exam.com Ac tua lTe sts . Any Time.co m 16 ." .www.actualtests.

The period of time in which virtual logins are blocked as security services fully initialize C.Cisco 640-553: Practice Exam input answer here: Answer: 1 QUESTION NO: 23 When configuring Cisco IOS login enhancements for virtual connections.www. A period of time when no one is attempting to log in D. what is the "quiet period"? A. following repeated failed login attempts B. The period of time in which virtual login attempts are blocked. The period of time between successive login attempts "Pass Any Exam. Any Time." .co m 17 .actualtests.com Ac tua lTe sts .

D. since the quiet-mode access list has not been configured. "Pass Any Exam. The login block-for command is configured to block login hosts for 93 seconds. Three or more login requests have failed within the last 100 seconds. All logins from any sources are blocked for another 193 seconds.co m . C. Any Time.Cisco 640-553: Practice Exam Answer: A QUESTION NO: 24 Based on the following items. Loopback interface B.com 18 Ac tua lTe sts . and HTTP. SSH." . When the router goes into quiet mode.actualtests. Monitoring interface D. what will happen when the switch's CAM table fills to capacity and a new frame arrives? A. Management interface Answer: B.) A. which two types of interfaces are found on all network-based IPS sensors? (Choose two.C QUESTION NO: 25 Which description is true about the show login command output displayed in the exhibit? A. Answer: A QUESTION NO: 26 If a switch is working in the fail-open mode. B. any host is permitted to access the router via Telnet.www. A copy of the frame is forwarded out all switch ports other than the port the frame was received on. Command and control interface C.

C. Service timestamps have been globally enabled. This is a normal system-generated information message and does not require further investigation.www." . Answer: "Pass Any Exam.actualtests. B.D QUESTION NO: 28 HOTSPOT . Any Time. The switch sends a NACK segment to the frame's source MAC address.Cisco 640-553: Practice Exam B. This message is a level 5 notification message.com Ac tua lTe sts . Answer: A QUESTION NO: 27 Given the exhibit below. which two descriptions are correct? (Choose two. You are a network manager of your company.co A. This message is unimportant and can be ignored..) Answer: B. The frame is dropped. The frame is transmitted on the native VLAN. m 19 . D. D. You are reading your Syslog server reports. C. On the basis of the Syslog message shown.

actualtests.CK2 and CK3 B.CK2 and CK4 RADIUS . Any Time. What is the reason that Cisco still support the use of both enable secret and enable passwords in a router's configuration? "Pass Any Exam. TACACS+ ." .CK1 and CK3 RADIUS . RADIUS based on the exhibit shown? A.CK1 and CK3 C. Signature-based spyware filtering Answer: D QUESTION NO: 30 Which statement best describes the relationships between AAA function and TACACS+.Cisco 640-553: Practice Exam QUESTION NO: 29 What will be enabled by the scanning technology-The Dynamic Vector Streaming (DVS)? A. if the password-encryption service is not enabled). Layer 4 virus detection D. TACACS+ .com 20 Ac tua lTe sts . whereas the enable password is not hashed (or encrypted. Signature-based virus filtering C.CK2 and CK4 D.CK2 and CK3 RADIUS . TACACS+ .co m . Firmware-level virus detection B.CK1 and CK4 RADIUS . TACACS+ .CK1 and CK4 Answer: B QUESTION NO: 31 The enable secret password appears as an MD5 hash in a router's configuration file.www.

actualtests. Answer: A QUESTION NO: 32 When configuring AAA login authentication on Cisco routers. whereas the enable secret password is used for IKE Phase II.co m 21 . state Answer: E "Pass Any Exam. D. the enable password is used to match the password that was entered. Because the enable secret password is a hash. enable F.www. reflexive ACL B.E QUESTION NO: 33 Which kind of table will be used by most firewalls today to keep track of the connections through the firewall? A. if-authenticated Answer: C. B. queuing D. group RADIUS B." .) A. The enable password is considered to be a router's public key. and the enable secret is used to verify that the enable password has not been modified since the hash was generated. netflow E. group TACACS+ C. Any Time. Therefore. it cannot be decrypted. dynamic ACL C. whereas the enable secret password is considered to be a router's private key. C. local D. The enable password is present for backward compatibility.com Ac tua lTe sts . krb5 E. The enable password is used for IKE Phase I.Cisco 640-553: Practice Exam A. which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.

It is encrypted using DH group 5. VPN. including firewall. It is encrypted using a proprietary Cisco encryption algorithm.co QUESTION NO: 35 m . Cisco PIX 500 series security appliance C. It is hashed using MD5.Cisco 640-553: Practice Exam QUESTION NO: 34 Based on the username global configuration mode command displayed in the exhibit. Two secret keys B. Answer: A Before a Diffie-Hellman exchange may begin. Twononsecret keys C. antivirus.com 22 Ac tua lTe sts . D. and antiphishing features? A. Cisco 4200 series IPS appliance D. What does the option secret 5 indicate about the enable secret password? A. Cisco ASA 5500 series security appliance Answer: D QUESTION NO: 37 Which three items are Cisco best-practice recommendations for securing a network? (Choose three.actualtests. IPS. Any Time. B. C. It is hashed using SHA. antispyware." . Two secret numbers D.) "Pass Any Exam.www. Cisco IOS router B. the two parties involved must agree on what? A. Twononsecret numbers Answer: D QUESTION NO: 36 Examine the following items. which one offers a variety of security solutions.

Cisco 640-553: Practice Exam A. Routinely apply patches to operating systems and applications. B. Disable unneeded services and ports on hosts. C. Deploy HIPS software on all end-user workstations. D. Require strong passwords, and enable password expiration. Answer: A,B,D

QUESTION NO: 38 What Cisco Security Agent Interceptor is in charge of intercepting all read/write requests to the rc files in UNIX? A. Configuration interceptor B. Network interceptor C. File system interceptor D. Execution space interceptor Answer: A

QUESTION NO: 39 HOTSPOT ..

Answer:

"Pass Any Exam. Any Time." - www.actualtests.com

Ac

tua

lTe

sts

.co

m

23

Cisco 640-553: Practice Exam QUESTION NO: 40 Information about a managed device??s resources and activity is defined by a series of objects. What defines the structure of these management objects? A. MIB B. FIB C. LDAP D. CEF Answer: A

QUESTION NO: 41

Refer to Cisco IOS Zone-Based Policy Firewall, where will the inspection policy be applied? A. to the zone-pair B. to the zone C. to the interface D. to the global service policy Answer: A

QUESTION NO: 43 Which statement is true about vishing? A. Influencing users to forward a call to a toll number (for example, a long distance or international number) B. Influencing users to provide personal information over a web page "Pass Any Exam. Any Time." - www.actualtests.com 24

Ac

tua

QUESTION NO: 42

lTe

Answer: C

sts

A. when using the established keyword, a location close to the destination point to ensure that return traffic is allowed B. an intermediate location to filter as much traffic as possible C. a location as close to the source traffic as possible D. a location as close to the destination traffic as possible

.co

m

Which location will be recommended for extended or extended named ACLs?

Cisco 640-553: Practice Exam C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number) D. Influencing users to provide personal information over the phone Answer: D

QUESTION NO: 44 Which item is the great majority of software vulnerabilities that have been discovered? A. Stack vulnerabilities B. Heap overflows C. Software overflows D. Buffer overflows Answer: D

QUESTION NO: 45 CORRECT TEXT ..

"Pass Any Exam. Any Time." - www.actualtests.com

Ac

tua

lTe

sts

.co

m

25

www.co m 26 ." .Cisco 640-553: Practice Exam "Pass Any Exam.com Ac tua lTe sts . Any Time.actualtests.

com Ac tua lTe sts .co m 27 . Any Time." .actualtests. Cryptotext D.6 QUESTION NO: 46 Which one of the following items may be added to a password stored in MD5 to make it more secure? A.Cisco 640-553: Practice Exam input answer here: Answer: 3. Salt C. Rainbow table Answer: B "Pass Any Exam. Ciphertext B.www.

www. SHA-135 C.Cisco 640-553: Practice Exam QUESTION NO: 47 HOTSPOT Answer: Which example is of a function intended for cryptographic hashing? A." .com 28 Ac tua QUESTION NO: 48 lTe sts . HMAC B. RSA C. XR12 D.co m . MD65 B. Any Time.actualtests. MD5 "Pass Any Exam. MD5 Answer: D QUESTION NO: 49 Which algorithm was the first to be found suitable for both digital signing and encryption? A.

Which statement best describes the relationships between the attack method and the result? A. Secret sts Which classes does the U. SBU D. CK3 and CK5 "Pass Any Exam.com 29 Ac tua lTe A. Top-secret B. Ping Sweep .S.CK2 and CK4 Port Scan . Host-based IPS deployment requires less planning than network-based IPS." .actualtests.) . Confidential C. SHA-1 Answer: B QUESTION NO: 50 Which is the main difference between host-based and network-based intrusion prevention? A. QUESTION NO: 51 Answer: A.www. Host-based IPS can work in promiscuous mode or inline mode.D QUESTION NO: 52 With the increasing development of network. various network attacks appear.CK1. D. B.co m Answer: B . Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows. Any Time. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers. government place classified data into? (Choose three.B.Cisco 640-553: Practice Exam D. C.

Ping Sweep . You must then specify the general-purpose key size used for authentication with the crypto key generatersa general-keys modulus command. aaa new-model command B. C.com. CK4 and CK5 D. secret password for the root user C.com 30 Ac tua lTe sts . CK4 and CK5 Answer: A QUESTION NO: 53 Which three options are network evaluation techniques? (Choose three.D QUESTION NO: 54 What should be enabled before any user views can be created during role-based CLI configuration ? A.actualtests. Using password-cracking utilities Answer: B.) A. Any Time. CK3 and CK4 C. B.CK2. Which description is correct when you have generated RSA keys on your Cisco router to prepare for secure device management? A. Performing virus scans C. Performing end-user training on the use of antispyware software B. You must thenzeroize the keys to reset secure shell before configuring other parameters.CK1 and CK3 Port Scan . usernames and passwords D.CK1. Ping Sweep . multiple privilege levels Answer: A QUESTION NO: 55 You are a network technician at Certpaper.www.CK1 and CK5 Port Scan ." .Cisco 640-553: Practice Exam B. Ping Sweep . Allvty ports are automatically enabled for SSH to provide secure management.CK2. "Pass Any Exam.C.co m . Scanning a network for active IP addresses and open ports on those IP addresses D.CK2 and CK3 Port Scan .

D.co m Answer: A 31 .B. front door attacks F. buffer Unicode attack D. The Cisco IOS image file will not be visible in the output from the show flash command. the Cisco IOS image will be loaded from a secured FTPlocation.D. Answer: D QUESTION NO: 56 Which result is of securing the Cisco IOS image by use of the Cisco IOS image resilience feature? A.Cisco 640-553: Practice Exam D.com Ac tua A.) . C. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server. privilege escalation attack C. Trojan horse attack lTe sts What are four methods used by hackers? (Choose four. QUESTION NO: 57 Answer: A. B. The show version command will not show the Cisco IOS image file location. social engineering attack E. footprint analysis attack B. When the router boots up." . Any Time.F QUESTION NO: 58 Which are the best practices for attack mitigations? "Pass Any Exam.www.actualtests. The SSH protocol is automatically enabled.

CK6 and CK8 32 .www. CK5. CK4.co m A. sts .actualtests. CK6 and CK8 B. CK6 and CK7 C. CK2." . CK5.Cisco 640-553: Practice Exam Answer: A QUESTION NO: 59 DRAG DROP Answer: "Pass Any Exam. CK6 and CK7 E. CK2. CK3. Any Time.com Ac tua lTe Drag two characteristics of the SDM Security Audit wizard on the above to the list on the below. CK3. CK1. CK3 and CK5 D. CK2. CK2.

actualtests. Any Time." .co m 33 .www.Cisco 640-553: Practice Exam QUESTION NO: 60 The information of Cisco Router and Security Device Manager(SDM) is shown below: "Pass Any Exam.com Ac tua lTe sts .

www." . Any Time.Cisco 640-553: Practice Exam Within the "sdm-inspect" policy map.com Ac tua lTe sts .co m 34 .) "Pass Any Exam.actualtests. what is the action assigned to the traffic class "sdm-invalidsrc". and which traffic is matched by the traffic class "sdm-invlid-src" ? (Choose two.

A trusted third party responsible for signing the public keys of entities in aPKIbased system D.Cisco 640-553: Practice Exam A." . D.com Ac tua lTe sts . traffic matched by the nested "sdm-cls-insp-traffic" class map B. An entity responsible for registering the private key encryption used in a PKI B. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block. and recovery "Pass Any Exam.actualtests. applications. A trusted third party responsible for signing the private keys of entities in aPKIbased system Answer: C QUESTION NO: 63 Which statement is not a reason for an organization to incorporate a SAN in its enterprise infrastructure? A. inspect/log D. Answer: D QUESTION NO: 62 Which statement is true about a certificate authority (CA)? A. C.B QUESTION NO: 61 Which description is true about ECB mode? A. In ECB mode. To meet changing business priorities. traffic matched by ACL 104 Answer: A.www. An agency responsible for granting and revoking public-private key pairs C. backup. Any Time. each 56-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block. To decrease both capital and operating expenses associated with data storage B. and revenue growth D. traffic matched by ACL 105 C. To decrease the threat of viruses and worm attacks against data storage devices C. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text block.co m 35 . B. To increase the performance of long-distance replication. each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block. In ECB mode.

Selecting the interface to which the IPS rule will be applied B.actualtests. VPN C.B. STP D. You can click on the grey buttons below to view the different windows. UDP port 1812 B. Selecting the inspection policy that will be applied to the interface Answer: A.co Which three statements are valid SDM configuration wizards? (Choose three.Cisco 640-553: Practice Exam Answer: B QUESTION NO: 64 Which two ports are used with RADIUS authentication and authorization?(Choose two.) A. "Pass Any Exam.D QUESTION NO: 66 With which three tasks does the IPS Policies Wizard help you? (Choose three.) m . UDP port 2000 C.D QUESTION NO: 65 Answer: A.www." . Selecting the direction of traffic that will be inspected D. NAT B.B.) A. TCP port 2002 D.com 36 Ac tua lTe sts A. UDP port 1645 Answer: A.C QUESTION NO: 67 Instructions To access the Cisco Router and Security Device Manager(SDM) utility click on the console host icon that is connected to a ISR router. Any Time. Security Audit . Selecting the Signature Definition File (SDF) that the router will use C.

actualtests.You can also reposition a window by dragging it by the title bar.www." .co m 37 .com Ac tua lTe sts . Any Time. The "Tab" key and most commands that use the "Control"or "Escape" keys are not supported and are not necessary to complete this simulation. "Pass Any Exam.Cisco 640-553: Practice Exam Each of the windows can be minimized by clicking on the [-].

F. takes a snapshot of the router running configuration and securely archives it in persistent storage B. BPA attack B. which two attacks focus on RSA? (Choose all that apply.www. Answer: D. FastEthernet0/0 and 0/1 are associated to the "out-zone" zone.) A. FastEthernet0/0 and 0/1 are associated to the "in-zone" zone. Any Time.E QUESTION NO: 68 Observe the following options carefully. UplinkFast "Pass Any Exam.Cisco 640-553: Practice Exam Which two options correctly identify the associated interface with the correct security zone? (Choose two. which Spanning Tree Protocol (STP) protection mechanism disables a switch port if the port receives a Bridge Protocol Data Unit (BPDU)? A. Adaptive chosenciphertext attack C.actualtests. E. B. DDoS attack D." . enables Cisco IOS image resilience . backs up the Cisco IOS image from flash to a TFTP server D. Man-in-the-middle attack Answer: A. FastEthernet0/0 and 0/1 are not associated to any zone. stores a secured copy of the Cisco IOS image in its persistent storage C. FastEthernet0/1 is associated to the "out-zone" zone.B QUESTION NO: 70 Examine the following options . C. FastEthernet0/0 and 0/1 are associated to the "self" zone.com Ac tua QUESTION NO: 69 lTe Answer: A sts A.co m What is the purpose of the secure boot-config global configuration ? 38 . FastEthernet0/0 is associated to the "in-zone" zone. D.) A.

Root Guard Answer: C QUESTION NO: 71 Which Public Key Cryptographic Standards (PKCS) defines the syntax for encrypted messages and messages with digital signatures? A. PKCS #10 D. PKCS #12 Answer: A Which one is the most important based on the following common elements of a network design? A. Restrict access to firewalls C. Risk analysis C.www. Business needs B.actualtests. PortFast C. PKCS #8 C.com Ac tua lTe sts QUESTION NO: 72 . BPDU Guard D. Use logs and alerts D.co m 39 ." . Security policy D. Segment security zones B. PKCS #7 B. Any Time. Best practices Answer: A QUESTION NO: 73 Which firewall best practices can help mitigate worm and other automated attacks? A. Set connection limits Answer: D "Pass Any Exam.Cisco 640-553: Practice Exam B.

Proxy firewall C. Answer: D QUESTION NO: 75 Which type of firewall is needed to open appropriate UDP ports required for RTP streams? A. C. Any Time. and that information system changes do not compromise a system's security? "Pass Any Exam. It requires the use ofnetBT as the network protocol." . It is restricted in size to only three segments. aaa authentication enable default C. aaa authentication enable level D. It relies on an underlying Public Key Infrastructure (PKI).www. Stateless firewall Answer: A Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level? A. that data can be recovered from backups.Cisco 640-553: Practice Exam QUESTION NO: 74 For the following statements.com Ac tua QUESTION NO: 76 lTe sts .actualtests. aaa authentication enable method default B. Stateful firewall B. aaa authentication enable default local Answer: B QUESTION NO: 77 For the following attempts. which one is to ensure that no one employee becomes a pervasive security threat. D. It requires the implementation of IKE. B. Packet filtering firewall D.co m 40 . which one is perceived as a drawback of implementing Fibre Channel Authentication Protocol (FCAP)? A.

CK4 and CK5 D. Disaster recovery C. IKE Phase 1 . Diffie-Hellman Answer: A "Pass Any Exam.CK2 and CK4 IKE Phase 2 .www. IKE Phase 1 . AES B.actualtests.CK1 and CK4 IKE Phase 2 .CK2. Any Time.CK2 and CK3 IKE Phase 2 . CK4 and CK5 lTe sts . which one is the strongest symmetrical encryption algorithm? A. CK3 and CK5 B. Implementation security D.CK3. 3DES C. Strategic security planning B. Operations security Answer: D QUESTION NO: 78 Which item is the correct matching relationships associated with IKE Phase? Answer: A QUESTION NO: 79 For the following statements." .co m 41 .CK1. DES D. IKE Phase 1 .Cisco 640-553: Practice Exam A. CK3 and CK5 C.CK1. IKE Phase 1 .com Ac tua A.CK1 and CK2 IKE Phase 2 .

ATA D.co m The information of Cisco Router and Security Device Manager(SDM) is shown below: 42 .Cisco 640-553: Practice Exam QUESTION NO: 80 Which protocol will use a LUN as a way to differentiate the individual disk drives that comprise a target device? A. SCSI B." .www. HBA C.com Ac tua lTe sts . Any Time.actualtests. iSCSI Answer: A QUESTION NO: 81 "Pass Any Exam.

www. Any Time." .Cisco 640-553: Practice Exam Which three protocols are matched by the "sdm-cls-insp-traffic" class map? (Choose three) A.actualtests.com Ac tua lTe sts .co m 43 . pop3 "Pass Any Exam.

D.password database on the router. C.Cisco 640-553: Practice Exam B. The Turbo ACL feature leads to reduced latency. Turbo ACLs increase the CPU load by matching the packet to a predetermined list. with the transformations varying during the encryption "Pass Any Exam. because the time it takes to match the packet is variable. It specifies the login authorization method list named console-in using the local RADIUS username-password database. Individual blocks. one at a time. It specifies the login authentication method list named console-in using the local user database on the router. C. one at a time.com 44 Ac tua lTe What is the objective of the aaa authentication login console-in local command? sts . Any Time.B. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency. ftp C. B. It specifies the login authentication list named console-in using the local username. B.co m . Individual digits. The Turbo ACL feature leads to increased latency. sql-net Answer: A. D.www. Answer: A QUESTION NO: 84 Stream ciphers run on which of the following? A. Fixed-length groups of digits called blocks B. Answer: A. It specifies the login authorization method list named console-in using the local usernamepassword database on the router.actualtests. with the transformations varying during the encryption C.D QUESTION NO: 82 Which statement best describes the Turbo ACL feature? (Choose all that apply.C QUESTION NO: 83 A. 12tp D. because the time it takes to match the packet is fixed and consistent." .) A.

www. The port remains enabled." .Cisco 640-553: Practice Exam D. Any Time. D. uses the built-in signatures that come with the Cisco IOS image as backup C. SYSLOG. B. QUESTION NO: 86 Answer: D QUESTION NO: 87 Regarding constructing a good encryption algorithm. Altering the key length causes theciphertext to be completely different. requires the Basic or Advanced Signature Definition File B. The port's violation mode is set to restrict.com Ac tua lTe A. D. C. C. The port is shut down. Altering the key length causes the plain text to be completely different. The MAC address table is cleared and the new MAC address is entered into the table. uses Cisco IPS 5. and SNMP for sending Cisco IPS alerts D. what does creating an avalanche effect indicate? A. supports SDEE. Fixed-length groups of bits called blocks Answer: C QUESTION NO: 85 After enabling port security on a Cisco Catalyst switch. Changing only a few bits of aciphertext message causes the plain text to be completely different.actualtests. B. Changing only a few bits of a plain-text message causes theciphertext to be completely different.4(11)T and later ? . Answer: D "Pass Any Exam.x signature format sts Which item is correct regarding Cisco IOS IPS on Cisco IOS Release 12. what is the default action when the configured maximum of allowed MAC addresses value is exceeded? A. but bandwidth is throttled until old MAC addresses are aged out.co m Answer: B 45 .

com Ac tua lTe sts . and. B. traffic is routed out interface Serial 1. D. password encryption service B.co m 46 .Cisco 640-553: Practice Exam QUESTION NO: 88 A standard access control list has been configured on a router and applied to interface Serial 0 in an outbound direction. Answer: A QUESTION NO: 89 What will be disabled as a result of the no service password-recovery command? A. The traffic is dropped. No ACL is applied to Interface Serial 1 on the same router. The resulting action is determined by the destination IP address. The resulting action is determined by the destination IP address and port number. The source IP address is checked. if a match is not found. Any Time." . thexmodem privilege EXEC mode command to recover the Cisco IOS image D.www. ROMMON Answer: D QUESTION NO: 90 The information of Cisco Router and Security Device Manager(SDM) is shown below: "Pass Any Exam. C. changes to theconfig-register setting C.actualtests. What will happen when traffic being filtered by the access list does not match the configured ACL statements for Serial 0? A.

actualtests.www.com Ac tua lTe sts .co m 47 . Any Time.Cisco 640-553: Practice Exam Which poicy map is associated to the "adm-zp-in-out" security zone pair? A. sdm-permit-icmpreply "Pass Any Exam." .

sdm-insp-traffic Answer: B QUESTION NO: 91 HOTSPOT Answer: QUESTION NO: 92 Which statement is true about a Smurf attack? A.actualtests. D. Answer: C QUESTION NO: 93 When using the Cisco SDM Quick Setup Siteto-Site VPN wizard. Any Time.Cisco 640-553: Practice Exam B." . sdm-inspect D. C.com 48 Ac tua lTe sts .co m . requesting that devices on that subnet send ping replies to a target system. adm-permit C. B. It intercepts the third step in a TCP three-way handshake to hijack a session. which can be used to launch a coordinatedDDoS attack. which three parameters do you configure? (Choose three. It uses Trojan horse applications to create a distributed collection of "zombie" computers. It sends ping requests in segments of an invalid size.) "Pass Any Exam.www. It sends ping requests to a subnet.

D QUESTION NO: 94 On the basis of the show policy-map type inspect zone-pair session command output provided in the exhibit.What can be determined about this Cisco IOS zone based firewall policy? A. Any Time. B. Transform set for theIPsec tunnel D. All packets will be dropped since the class-default traffic class is matching all traffic. D. Answer: A QUESTION NO: 95 Which name is of the e-mail traffic monitoring service that underlies that architecture of IronPort? "Pass Any Exam. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone).co m 49 .B. C. Interface for the VPN connection Answer: A. IP address for the remote peer C. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone).actualtests." . Source interface where encrypted traffic originates B.www. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.Cisco 640-553: Practice Exam A.com Ac tua lTe sts .

Any Time..www. With a method statement Answer: C . "Pass Any Exam." .Cisco 640-553: Practice Exam A.co m 50 . With a method list D. SenderBase B. IronPort M-Series D.actualtests. With the method command C.com Ac tua lTe sts QUESTION NO: 97 CORRECT TEXT . With the methodaaa command B. TrafMon C. E-Base Answer: A QUESTION NO: 96 How do you define the authentication method that will be used with AAA? A.

Cisco 640-553: Practice Exam "Pass Any Exam." .www.com Ac tua lTe sts .actualtests. Any Time.co m 51 .

" . From the default rules shown.actualtests. You are the network security administrator responsible for router security.Cisco 640-553: Practice Exam Answer: 4 QUESTION NO: 98 Refer to the exhibit.www.co m 52 .com Ac tua input answer here: lTe sts . Any Time. Your network uses internal IP addressing according to RFC 1918 specifications. which access control list would prevent IP address spoofing of these internal networks? "Pass Any Exam.

CK4. CK2 and CK3 Asymmetric .www.CK2.co m A. SDM_Default_197 B. sts .CK2. CK5 and CK6 "Pass Any Exam." .Cisco 640-553: Practice Exam Answer: D QUESTION NO: 99 A.actualtests.com 53 Ac tua lTe Please choose the correct matching relationships between the cryptography algorithms and the type of algorithm. Any Time. CK4 and CK5 Asymmetric . Symmetric .CK1. SDM_Default_198 . SDM_Default_196 D.CK1. CK3 and CK6 B. Symmetric .CK1. CK4 and CK5 Asymmetric . Symmetric . SDM_Default_199 C. CK3 and CK6 C.

Tunnel Answer: B QUESTION NO: 101 Refer to the exhibit. Any Time. The tunnel is down because the transform set needs to include the Authentication Header parameter.www. C. D. CK5 and CK6 Asymmetric .CK1. which statement is true? A.actualtests.Cisco 640-553: Practice Exam D.co m ." . CK3 and CK4 Answer: A QUESTION NO: 100 For the following items. This VPN configuration will not work because the tunnel IP and peer IP are the same. Broadband service B. Headend VPN device C. Which will be necessarily taken into consideration when implementing Syslogging in your network? "Pass Any Exam. It should be configured as a DynamicIPsec policy.com 54 Ac tua lTe sts . you are responsible for Certpaper network. Symmetric . Traffic that matches access list 103 will be protected. VPN access device D. B. which one acts as a VPN termination device and is located at a primary network location? A. Based on the VPN connection shown.CK2. The tunnel is down as result of being a static rule.com. Answer: A QUESTION NO: 102 As a network engineer at Certpaper.

used between the initiator and the responder to establish a basic security policy C. used to establish a symmetric shared key via a public key exchange process D. MCU B." . Any Time.actualtests. used for asymmetric public key encryption lTe sts . used to verify the identity of the peer B.com Ac tua A. C. Static secure MAC address B. Use SSH to access yourSyslog information. Log all messages to the system buffer so that they can be displayed when accessing the router. Answer: D QUESTION NO: 103 Which type of MAC address is dynamically learned by a switch port and then added to the switch's running configuration? A. B.co m 55 . Dynamic secure MAC address C. Sticky secure MAC address Answer: D QUESTION NO: 104 What is the objective of Diffie-Hellman? Answer: C QUESTION NO: 105 Which VoIP components can permit or deny a call attempt on the basis of a network's available bandwidth? A.www. Enable the highest level ofSyslogging available to ensure you log all possible event messages. Application server C. D. Syncronize clocks on the network with a protocol such as Network Time Protocol. Pervasive secure MAC address D. Gatekeeper Answer: D "Pass Any Exam.Cisco 640-553: Practice Exam A. Gateway D.

all TCP and UDP header information only Answer: B QUESTION NO: 107 CORRECT TEXT . Any Time." . and additional flags for each TCP or UDP connection associated with a particular session C. TCP sequencing information.com Ac tua lTe sts . the outbound and inbound access rules (ACL entries) D. port numbers.actualtests. the inside private IP address and the translated inside global IP address B. the source and destination IP addresses. "Pass Any Exam.co m 56 .Cisco 640-553: Practice Exam QUESTION NO: 106 Which information is stored in the stateful session flow table while using a stateful firewall? A.www.

" .www.Cisco 640-553: Practice Exam "Pass Any Exam.com Ac tua lTe sts . Any Time.co m 57 .actualtests.

which is the Cisco minimum recommended modulus value? A. 2048 bits B." .www.actualtests. 1024 bits C. Any Time.com Ac tua lTe sts . 256 bits D.co m 58 . 512 bits Answer: B "Pass Any Exam.Cisco 640-553: Practice Exam input answer here: Answer: 3 QUESTION NO: 108 When configuring SSH.

www. B. Authentication D. Authorization B. Creating a back door "Pass Any Exam. Conducting social engineering C.) . Confidentiality C. It requires login credentials. Integrity Answer: D QUESTION NO: 112 Which method is of gaining access to a system that bypasses normal security measures? A. It uses HTTPS. D. based on the UCM user database. It is enabled by default. . It can provide IP address information about other servers in the network. protocol analysis-based Answer: A QUESTION NO: 110 Which option ensures that data is not modified in transit? A.co m Which two statements are correct regarding a Cisco IP phone??s web access feature? (Choose two. Any Time.Cisco 640-553: Practice Exam QUESTION NO: 109 Which type of intrusion prevention technology will be primarily used by the Cisco IPS security appliances? A. profile-based C.actualtests." .C sts A. Starting a Smurf attack B. signature-based B. rule-based D.com 59 Ac tua QUESTION NO: 111 lTe Answer: A. C.

Launching aDoS attack Answer: C QUESTION NO: 113 Which two actions can be configured to allow traffic to traverse an interface when zone-based security is being employed? (Choose two. D. Pass B. CHAP C. Inspect QUESTION NO: 114 Answer: B.) . Flow C.D QUESTION NO: 115 Which two primary port authentication protocols are used with VSANs? (Choose two. lTe sts Which three are distinctions between asymmetric and symmetric algorithms? (Choose all that apply. B.C "Pass Any Exam.Cisco 640-553: Practice Exam D. C. DHCHAP D. Asymmetric algorithms are based on more complex mathematical computations.actualtests. SPAP B.) A.www. Only symmetric algorithms have a key exchange technology built in. Asymmetric algorithms are used quite often as key exchange protocols for symmetric algorithms. ESP Answer: B." . Only asymmetric algorithms have a key exchange technology built in.) A.D 60 . Allow D. Any Time.com Ac tua A.co m Answer: A.C.

B. D. If the TACACS+ AAA server is not available. Log in to the router as the root user. D. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command. aaa accounting system start-stop tacacs+ D. Create a parser view called "root view. C." . The authentication method list used by thevty port is named test.actualtests. no users will be able to establish a Telnet session with the router.www. Enable the root view on the router.co m Which statement is correct regarding the aaa configurations based on the exhibit provided? . The authentication method list used by the console port is named test. tua lTe sts . Answer: C QUESTION NO: 117 Answer: A QUESTION NO: 118 Which one of the aaa accounting commands can be used to enable logging of both the start and stop records for user terminal sessions on the router? A. aaa accounting connection start-stop tacacs+ B. C." B.com 61 Ac A. aaa accounting exec start-stop tacacs+ C. aaa accounting network start-stop tacacs+ "Pass Any Exam.Cisco 640-553: Practice Exam QUESTION NO: 116 When configuring role-based CLI on a Cisco router. console access to the router can be authenticated using the local database. If the TACACS+ AAA server is not available. which action will be taken first ? A. Any Time.

policy management Answer: A .Cisco 640-553: Practice Exam Answer: B QUESTION NO: 119 What is a static packet-filtering firewall used for ? A. It analyzes network traffic at the network and transport protocol layers.www. which feature is the foundation of Cisco Self-Defending Network technology? A." .co m 62 . secure network platform B.actualtests. It evaluates network packets for valid data at the application layer before allowing connections. threat control and containment D.com Ac QUESTION NO: 121 HOTSPOT tua lTe sts . Answer: C QUESTION NO: 120 For the following options. B. C. Answer: "Pass Any Exam. It validates the fact that a packet is either a connection request or a data packet belonging to a connection. Any Time.. It keeps track of the actual communication process through the use of a state table. D. secure connectivity C.

www.Cisco 640-553: Practice Exam QUESTION NO: 122 DRAG DROP Which three common examples are of AAA implementation on Cisco routers? Please place the correct descriptions in the proper locations.com Ac tua lTe sts .co m 63 . Any Time." . Answer: "Pass Any Exam.actualtests.

NTP.which Tasks button permits you to configure such features as SSH. Additional Tasks Answer: D QUESTION NO: 124 In an IEEE 802.com Ac tua If you click the Configure button along the top of Cisco SDM??s graphical interface. Interfaces and Connections B.co m 64 .actualtests. between which two devices EAPOL messages typically are sent? A. SNMP." . and syslog? lTe sts .www. Between the supplicant and the authenticator B.Cisco 640-553: Practice Exam QUESTION NO: 123 A. Any Time. Between the authenticator and the authentication server C. Intrusion Prevention C.1x deployment. Between the supplicant and the authentication server "Pass Any Exam. Security Audit D.

www. The "Tab" key and most commands that use the "Control"or "Escape" keys are not supported and are not necessary to complete this simulation. lTe sts . Between the RADIUS server and the authenticator Answer: A QUESTION NO: 125 Which one of the Cisco IOS commands can be used to verify that either the Cisco IOS image. the configuration files. or both have been properly backed up and secured? A. show flash C.You can also reposition a window by dragging it by the title bar.actualtests. Any Time.Cisco 640-553: Practice Exam D.co m Answer: D 65 . show securebootset QUESTION NO: 126 "Pass Any Exam.com Ac tua Instructions To access the Cisco Router and Security Device Manager(SDM) utility click on the console host icon that is connected to a ISR router." . show file systems D. show archive B. You can click on the grey buttons below to view the different windows. Each of the windows can be minimized by clicking on the [-].

com Ac tua lTe sts .co m 66 .actualtests." .Cisco 640-553: Practice Exam Which statements is correct regarding the "sdm-permit" policy map? A. Traffic not matched by any of the class maps within that policy map will be inspected "Pass Any Exam. Any Time.www.

Signature-based detection B. Honey pot detection D. Any Time. D.CK3 C. INTEGRATED .co m 67 .actualtests.CK2 COLLABORATIVE . INTEGRATED . INTEGRATED . Traffic matching the "SDM_CA_SERVER" traffic class will be dropped. INTEGRATED .CK1 Answer: A "Pass Any Exam. Answer: B QUESTION NO: 127 Which key method is used to detect and prevent attacks by use of IDS and/or IPS technologies? A. A.Cisco 640-553: Practice Exam B. Anomaly-based detection C.CK3 B.CK1 COLLABORATIVE .CK1 ADAPTIVE .www. C.CK3 ADAPTIVE . Traffic matching the "sdm-access" traffic class will be inspected.CK1 D. That policy map is applied to traffic sourced from the "self" zone and destined to the "out-zone" zone.CK3 COLLABORATIVE .CK2 COLLABORATIVE .CK2 ADAPTIVE .com Ac tua lTe sts QUESTION NO: 128 . Policy-based detection Answer: A Please choose the correct description about Cisco Self-Defending Network characteristics." .CK2 ADAPTIVE .

" .com Ac tua lTe sts .co m 68 . Any Time.www.actualtests.Cisco 640-553: Practice Exam QUESTION NO: 129 DRAG DROP Answer: Explanation: QUESTION NO: 130 DRAG DROP Answer: "Pass Any Exam.

actualtests. Any Time.co m 69 .Cisco 640-553: Practice Exam Explanation: QUESTION NO: 131 DRAG DROP Answer: Explanation: "Pass Any Exam.com Ac tua lTe sts .www." .

com Ac tua lTe sts .actualtests. Any Time.Cisco 640-553: Practice Exam QUESTION NO: 132 DRAG DROP Answer: Explanation: "Pass Any Exam." .co m 70 .www.

Any Time.Cisco 640-553: Practice Exam QUESTION NO: 133 DRAG DROP Answer: QUESTION NO: 134 DRAG DROP Match the descriptions on the left with the IKE phases on the right.co m 71 ." .www.actualtests.com Ac tua lTe sts . "Pass Any Exam.

Cisco 640-553: Practice Exam Answer: "Pass Any Exam.actualtests.co m 72 .www." . Any Time.com Ac tua lTe sts .

Sign up to vote on this title
UsefulNot useful